HTTP Secure (HTTPS)
When we browse the web, who can see what we're reading? Who can see the text we type into forms?
With standard HTTP, many people can: attackers intercepting packets, ISPs monitoring traffic, government agencies tapping into the fiber cables that make up the backbone of the Internet. Using well-known exploits, they can read the contents of every website and even inject their own contents.
That's why websites increasingly use HTTPS (Hypertext Transfer Protocol Secure) to protect the privacy of their users and prevent tampering. HTTPS is also known as HTTP over TLS, because it's implemented by encrypting HTTP requests and responses with the TLS protocol.
An HTTPS connection starts with the URL in the address bar. Standard HTTP connections have URLs that start with "http://". Secure HTTP connections have URLs that start with "https://".
⬆ Take a look at the address bar now. You should see a URL that starts with "https://www.khanacademy.org/". If it starts with "khanacademy.org/", try double clicking the address bar to see the full URL.
Of course, most users will just type the domain, like "khanacademy.org". Savvy users might even type a URL like "http://khanacademy.org". When a website supports HTTPS and wants to make sure that all of its users are served a secure connection, it should redirect all requests to the HTTPS version of its site.
🔍 Try typing in a few URLs of your favorite sites in a new tab and inspect the final URL in the address bar once the website loads. Did any of them redirect to HTTPS? Are any of them using HTTP that you really wish would use HTTPS?
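The redirect check described above can be automated. The following is an added example (not code from the article): it follows a chain of redirects one hop at a time and reports whether the chain ends on HTTPS, whether any hop downgraded from HTTPS back to plain HTTP, and whether it looped. The `.test` hostnames and the `FAKE_SITE` table are constructed so the check runs offline; `live_fetch` shows the equivalent real request with the standard library.

```python
"""Follow an HTTP redirect chain and report where it ends up.
Added example; hostnames under .test and the FAKE_SITE table are constructed."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed responses: URL -> (status, Location header or None).
FAKE_SITE = {
    # A site that upgrades to HTTPS and then canonicalises its hostname.
    "http://example.test/": (301, "https://example.test/"),
    "https://example.test/": (301, "https://www.example.test/"),
    "https://www.example.test/": (200, None),
    # A misconfigured site that bounces a secure request back to plain HTTP.
    "https://downgrade.test/login": (302, "http://downgrade.test/login"),
    "http://downgrade.test/login": (200, None),
    # A redirect loop using a relative Location header.
    "http://loop.test/": (302, "/"),
}


def fake_fetch(url):
    """Offline stand-in for one HTTP request; returns (status, location)."""
    return FAKE_SITE.get(url, (404, None))


def live_fetch(url, timeout=5):
    """Real-network equivalent: one request, redirects NOT auto-followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # tell urllib to stop instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx surfaces here when not followed
        return e.code, e.headers.get("Location")


def follow_redirects(url, fetch=fake_fetch, max_hops=10):
    """Walk the redirect chain starting at url.

    Returns a dict with:
      hops        ordered list of URLs visited, starting with url
      final_https True if the last URL uses the https scheme
      downgraded  True if any hop moved from https to http
      error       None, or "too many redirects" if the chain never settled
    """
    hops = [url]
    downgraded = False
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_STATUSES or location is None:
            break
        # Location may be relative (RFC 7231 allows it); resolve it first.
        nxt = urljoin(hops[-1], location)
        if urlsplit(hops[-1]).scheme == "https" and urlsplit(nxt).scheme == "http":
            downgraded = True
        hops.append(nxt)
    else:
        return {"hops": hops, "final_https": False,
                "downgraded": downgraded, "error": "too many redirects"}
    return {"hops": hops,
            "final_https": urlsplit(hops[-1]).scheme == "https",
            "downgraded": downgraded,
            "error": None}


if __name__ == "__main__":
    for start in ("http://example.test/", "https://downgrade.test/login",
                  "http://loop.test/"):
        print(start, "->", follow_redirects(start))
    # For a real site: follow_redirects("http://khanacademy.org/", fetch=live_fetch)
```

The downgrade flag is the case worth watching for: a site that answers an HTTPS request with a redirect to HTTP has undone its own protection, and a browser will show the lock disappear on the second hop.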
When the browser loads a URL that starts with "https", it begins the process of setting up a secure connection over TLS. (Need a refresher on the process? Review our TLS article.)
Early in that process, the browser must verify the digital certificate of the domain. There are many ways a certificate can be invalid, and browsers will often display certificate errors.
Here's what it looks like when Chrome discovers a certificate was issued by a certificate authority that it doesn't trust:
Screenshot of Chrome loading a website with an invalid certificate. Chrome address bar displays red warning icon, and text "Not secure". Instead of webpage content, Chrome displays warning "Your connection is not private. Attackers might be trying to steal your information from untrusted-root.badssl.com (for example, passwords, messages, or credit cards)." plus error code "NET::ERR_CERT_AUTHORITY_INVALID".
If the certificate is valid and everything else goes smoothly in the TLS setup, most browsers will display a lock in the address bar. That lock indicates a secured connection over HTTPS.
Here's the lock icon for Firefox:
Screenshot of Firefox loading a secure website. Address bar displays an information icon, green lock icon, and URL "https://www.google.com".
Clicking that lock icon yields even more information about the site's security:
Screenshot of Firefox loading a secure website. Address bar displays an information icon, green lock icon, and URL "https://www.google.com". A pop-up over information icon says "Site information for www.google.com, Connection: Secure Connection".
The benefits of HTTPS
An HTTPS connection ensures that only the browser and the secured domain see the data in HTTP requests and responses. Onlookers can still see that a particular IP address is communicating with another domain/IP and they can see how long that connection lasts. But those onlookers can't see the content of the communication, which includes the full URL path, the webpage HTML, and any text submitted in forms. Right now, an onlooker may know you're visiting khanacademy.org, but they don't know you're reading an article about HTTPS.
HTTPS also prevents tampering with website content. When a website is served over a standard HTTP connection, the packets can be intercepted and their contents replaced. If an attacker or even a government agency intercepts visits to a news site, they can easily serve up fake news. TLS includes a mechanism to detect packet alterations, so HTTPS connections are resistant to tampering.
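The tamper-detection mechanism mentioned above can be shown in a few lines. The following is an added, deliberately simplified illustration, not the article's code and not TLS's actual record layer (TLS 1.3 protects records with AEAD ciphers such as AES-GCM): each record carries an authentication tag computed with a key that only the two endpoints hold, so any byte changed, swapped or replayed in transit fails verification at the receiver. Encryption is left out so the integrity check stays visible; the key and the page contents are constructed.

```python
"""Why an on-path change to a protected record is detected.
Added, simplified illustration using HMAC-SHA256; not TLS's real record format."""
import hashlib
import hmac

SEQ_LEN = 8    # bytes of sequence number in the record header
TAG_LEN = 32   # HMAC-SHA256 output length


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build a record: seq || payload || HMAC-SHA256(key, seq || payload).
    Binding the sequence number, as TLS does, also rejects replayed or
    reordered records, not only edited ones."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unprotect(key: bytes, record: bytes, expected_seq: int):
    """Return the payload if the record is genuine and in order, else None."""
    if len(record) < SEQ_LEN + TAG_LEN:
        return None
    header = record[:SEQ_LEN]
    payload = record[SEQ_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    if int.from_bytes(header, "big") != expected_seq:
        return None  # replay or reordering
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so timing does not reveal
    # how many leading bytes of a forged tag happened to be right
    if not hmac.compare_digest(expected, tag):
        return None  # payload or tag was altered in transit
    return payload


def replace_body(record: bytes, new_body: bytes) -> bytes:
    """What can be done to a plain-HTTP packet: swap the content wholesale.
    The tag is carried along unchanged, so it no longer matches."""
    return record[:SEQ_LEN] + new_body + record[-TAG_LEN:]


def run_scenarios(key: bytes) -> dict:
    """Return, per delivery scenario, whether the receiver accepts the record."""
    genuine = protect(key, 0, b"<h1>Headline: bridge reopens Monday</h1>")
    flipped = genuine[:12] + bytes([genuine[12] ^ 0x01]) + genuine[13:]
    return {
        "untouched": unprotect(key, genuine, 0) is not None,
        "body replaced": unprotect(
            key, replace_body(genuine, b"<h1>Headline: bridge closed forever</h1>"), 0
        ) is not None,
        "one bit flipped": unprotect(key, flipped, 0) is not None,
        "replayed later": unprotect(key, genuine, 1) is not None,
    }


if __name__ == "__main__":
    # Constructed key for the demo only; real TLS keys come from the handshake.
    for name, accepted in run_scenarios(b"constructed-demo-key").items():
        print(f"{name:16s} -> {'accepted' if accepted else 'rejected'}")
```

Only the untouched record is accepted. Note what this does and does not give: the receiver learns that something was changed and drops the record, but the check alone does not hide the content, which is why TLS combines integrity protection with encryption.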
Many organizations believe that every website should serve all connections over HTTPS, due to the massive benefits. As of February 2019, around half of the top million websites use HTTPS by default. Will that ever reach 100%? You can help us get there by asking your favorite websites to use HTTPS or becoming a security-savvy web developer yourself.
Want to join the conversation?
- "With standard HTTP, many people can: cybercriminals intercepting packets, ISPs monitoring traffic, government agencies tapping into the fiber cables that make up the backbone of the internet. Using well-known exploits, they can read the contents of every website and even inject their own contents."(2 votes)
- Why can't it mark as read? (1 vote)
- What are the pros and cons of http/https?(0 votes)
- Https is better... it is basically http but with better encryption and more verification. It is safer and more secure.(1 vote)
- How does http/https have anything to do with TLS? Because I think the article said that with https, you are on a TLS connection.(0 votes)
- With HTTP you are just sending standard HTTP requests and getting standard HTTP responses. With HTTPS you are implementing the TLS protocol on top of TCP/IP - meaning if the url has https at the start - you have that extra layer of security (which is TLS).(2 votes)
- Can you visit a site that does not use any form of http, but another system?(0 votes)
- You could use FTP for file transfer, or you could use SMTP, the simple mail protocol (or maybe POP3, another mail protocol). Or rather, you probably use them without noticing.
Those protocols serve other functions than HTTP (file and mail transfer), but are obviously also important.
But to visit actual websites with your web browser, that's a job for HTTP. (2 votes)
- Hi everyone. A question just popped up. How can a domain indicate its use of HTTPS when accessed via an interface other than a browser, i.e. a smartphone app or Windows program, like when using my online banking application or a dictionary program on Windows that provides search results from Wikipedia beside dictionary results from Google Translate? (0 votes)
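The situation the question above describes, as an added example that is not part of the article or the comment thread: a mobile or desktop app has no address bar and cannot show its user a lock, so the app's own networking code has to do what the browser does before it displays one, namely refuse to fall back to plain http:// and verify the server's certificate chain and hostname. Python's standard library performs that verification by default through `ssl.create_default_context()`; the functions below make both checks explicit, show the misconfiguration that silently removes them, and map a rejected certificate to the same condition the article's Chrome screenshot reports.

```python
"""Getting the browser's lock-icon guarantees in a client with no address bar.
Added example; the hostname in __main__ is the one from the article's screenshot."""
import ssl
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlsplit


def require_https(url: str) -> str:
    """Reject any URL whose scheme is not https rather than sending it in clear."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    return url


def secure_context() -> ssl.SSLContext:
    """Verify the chain against the OS trust store and match the hostname,
    which is what a browser does before it shows the lock."""
    ctx = ssl.create_default_context()
    # Both are already the defaults; set explicitly so a later "fix" for a
    # certificate error cannot quietly downgrade them elsewhere in the app.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def insecure_context_for_comparison() -> ssl.SSLContext:
    """The anti-pattern: this makes the "Your connection is not private" case
    invisible to the app. Built here only so verification_enabled() can catch it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True only if both the chain check and the hostname check are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch(url: str, ctx: Optional[ssl.SSLContext] = None, timeout: float = 10) -> bytes:
    """Fetch a URL over HTTPS only, with certificate verification enforced."""
    ctx = ctx or secure_context()
    if not verification_enabled(ctx):
        raise ValueError("TLS context has verification disabled")
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    with opener.open(require_https(url), timeout=timeout) as resp:
        return resp.read()


def classify_failure(exc: BaseException) -> str:
    """Map a failure from fetch() to the category an app would report.
    urllib wraps TLS errors in URLError; the original exception sits in .reason."""
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, ssl.SSLCertVerificationError):
        return "certificate rejected"   # Chrome shows this as NET::ERR_CERT_* errors
    if isinstance(exc, ValueError):
        return "insecure request refused"
    return "network error"


if __name__ == "__main__":
    # Expected outcome: "certificate rejected", because the issuing root is not
    # in the OS trust store (same host as the article's Chrome screenshot).
    try:
        fetch("https://untrusted-root.badssl.com/")
        print("accepted (unexpected: the root CA should not be trusted)")
    except (urllib.error.URLError, ValueError, OSError) as e:
        print(classify_failure(e))
```

The practical answer to the question is therefore that the user cannot see it; the app's developer has to build it in, and a code review looking for `check_hostname = False` or `CERT_NONE` is the quickest way to find apps that have opted out.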